On Mon, Jun 9, 2014 at 3:30 PM, Greg KH <gregkh(a)linuxfoundation.org> wrote:
> On Wed, May 28, 2014 at 11:09:58PM -0400, Eric Paris wrote:
> > From: Andy Lutomirski <luto(a)amacapital.net>
> >
> > Fixes an easy DoS and possible information disclosure.
> >
> > This does nothing about the broken state of x32 auditing.
> >
> > eparis: If the admin has enabled auditd and has specifically loaded audit
> > rules. This bug has been around since before git. Wow...
> >
> > Cc: stable(a)vger.kernel.org
> > Signed-off-by: Andy Lutomirski <luto(a)amacapital.net>
> > Signed-off-by: Eric Paris <eparis(a)redhat.com>
> > ---
> > kernel/auditsc.c | 27 ++++++++++++++++++---------
> > 1 file changed, 18 insertions(+), 9 deletions(-)
>
> Did this patch get dropped somewhere? Isn't it a valid bugfix, or did I
> miss a later conversation about this?

Hmm. It seems that it didn't make it into Linus' tree. Crap.

IMO we need some kind of real tracking system for issues reported to
security@. This shouldn't have been possible (and if I'd realized
that the patch got dropped, I wouldn't have publicly disclosed it).

For whoever applies this: it's CVE-2014-3917.

--Andy